[deploy] Fix: helm resources; workflow ubuntu; Docker logging (#3405)

sillsdev · Oct 30, 2024 · e349e02 · e349e02
1 parent 55384c3
commit e349e02
Show file tree

Hide file tree

Showing 30 changed files with 124 additions and 74 deletions.
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -35,15 +35,14 @@ jobs:
             github.com:443
             md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443
             objects.githubusercontent.com:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup dotnet
         uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1
         with:
           dotnet-version: ${{ matrix.dotnet }}
       - name: Install ffmpeg
         uses: FedericoCarboni/setup-ffmpeg@36c6454b5a2348e7794ba2d82a21506605921e3d # v3
-
-      # Coverage.
       - name: Run coverage tests
         run: dotnet test Backend.Tests/Backend.Tests.csproj
         shell: bash
@@ -54,19 +53,16 @@ jobs:
           name: coverage
           path: Backend.Tests/coverage.cobertura.xml
           retention-days: 7
-
-      # Development build.
-      - run: dotnet build BackendFramework.sln
-
-      # Release build.
-      - run: dotnet publish BackendFramework.sln
-
-      # Fmt.
-      - run: dotnet format --verify-no-changes
+      - name: Development build
+        run: dotnet build BackendFramework.sln
+      - name: Release build
+        run: dotnet publish BackendFramework.sln
+      - name: Format check
+        run: dotnet format --verify-no-changes
 
   upload_coverage:
     needs: test_build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -146,8 +142,8 @@ jobs:
         uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
 
   docker_build:
+    if: ${{ github.event.type }} == "PullRequest"
     runs-on: ubuntu-22.04
-    #    if: ${{ github.event.type }} == "PullRequest"
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -170,7 +166,8 @@ jobs:
             ts-crl.ws.symantec.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build backend

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -13,10 +13,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: ["master"]
+    branches: [master]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: ["master"]
+    branches: [master]
   schedule:
     - cron: "21 8 * * 3"
 
@@ -26,7 +26,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read

diff --git a/.github/workflows/combine_deploy_image.yml b/.github/workflows/combine_deploy_image.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

diff --git a/.github/workflows/database.yml b/.github/workflows/database.yml
@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -26,7 +26,8 @@ jobs:
             registry-1.docker.io:443
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build database image

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1

diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
@@ -13,7 +13,7 @@ jobs:
       matrix:
         component: [frontend, backend, maintenance, database]
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
@@ -64,7 +64,7 @@ jobs:
           build_component: ${{ matrix.component }}
   clean_ecr_repo:
     needs: build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         component: [frontend, backend, maintenance, database]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:

diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   lint_build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -40,7 +40,7 @@ jobs:
       - run: npm run build
 
   test_coverage:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         node-version: [20]
@@ -64,7 +64,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
-      - run: npm run test-frontend:coverage
+      - name: Run tests and generate coverage
+        run: npm run test-frontend:coverage
         env:
           CI: true
       - name: Upload coverage artifact
@@ -77,7 +78,7 @@ jobs:
 
   upload_coverage:
     needs: test_coverage
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -110,8 +111,8 @@ jobs:
           name: Frontend
 
   docker_build:
-    runs-on: ubuntu-latest
     if: ${{ github.event.type }} == "PullRequest"
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -128,7 +129,8 @@ jobs:
             pypi.org:443
             registry-1.docker.io:443
             registry.npmjs.org:443
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build frontend

diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
@@ -10,7 +10,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   docker_build:
     if: ${{ github.event.type }} == "PullRequest"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
@@ -30,7 +30,8 @@ jobs:
             security.ubuntu.com:80
       # For subfolders, currently a full checkout is required.
       # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: Build maintenance image

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -12,7 +12,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   deploy:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -11,7 +11,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 
 jobs:
   tox:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         python-version: ["3.12"]

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -21,7 +21,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write

diff --git a/deploy/helm/aws-login/templates/aws-ecr-login-cronjob.yaml b/deploy/helm/aws-login/templates/aws-ecr-login-cronjob.yaml
@@ -59,7 +59,11 @@ spec:
                 configMapKeyRef:
                   key: DOCKER_EMAIL
                   name: {{ .Values.awsEcr.configName }}
-            resources: {}
+            resources:
+              requests:
+                memory: 128Mi
+              limits:
+                memory: 128Mi
             securityContext:
               capabilities: {}
             terminationMessagePath: /dev/termination-log

diff --git a/deploy/helm/aws-login/templates/aws-ecr-login-oneshot.yaml b/deploy/helm/aws-login/templates/aws-ecr-login-oneshot.yaml
@@ -59,7 +59,11 @@ spec:
             configMapKeyRef:
               key: DOCKER_EMAIL
               name: "{{ .Values.awsEcr.configName }}"
-        resources: {}
+        resources:
+          requests:
+            memory: 128Mi
+          limits:
+            memory: 128Mi
         securityContext:
           capabilities: {}
         terminationMessagePath: /dev/termination-log

diff --git a/deploy/helm/cert-proxy-client/templates/update-cert-cronjob.yaml b/deploy/helm/cert-proxy-client/templates/update-cert-cronjob.yaml
@@ -73,7 +73,11 @@ spec:
                     configMapKeyRef:
                       key: VERBOSE
                       name: {{ .Values.envName | quote }}
-              resources: {}
+              resources:
+                requests:
+                  memory: 128Mi
+                limits:
+                  memory: 128Mi
               securityContext:
                 capabilities: {}
               terminationMessagePath: /dev/termination-log

diff --git a/deploy/helm/cert-proxy-client/templates/update-cert-oneshot.yaml b/deploy/helm/cert-proxy-client/templates/update-cert-oneshot.yaml
@@ -72,7 +72,11 @@ spec:
             configMapKeyRef:
               key: VERBOSE
               name: {{ .Values.envName  | quote }}
-        resources: {}
+        resources:
+          requests:
+            memory: 128Mi
+          limits:
+            memory: 128Mi
         securityContext:
           capabilities: {}
         terminationMessagePath: /dev/termination-log

diff --git a/deploy/helm/cert-proxy-server/templates/deployment-cert-proxy-server.yaml b/deploy/helm/cert-proxy-server/templates/deployment-cert-proxy-server.yaml
@@ -66,9 +66,9 @@ spec:
           resources:
             requests:
               cpu:  2m
-              memory: 100M
+              memory: 128Mi
             limits:
-              memory: 150M
+              memory: 128Mi
       restartPolicy: Always
 {{- if ne .Values.global.pullSecretName "None" }}
       imagePullSecrets:

diff --git a/deploy/helm/cert-proxy-server/templates/deployment-nuc-proxy.yaml b/deploy/helm/cert-proxy-server/templates/deployment-nuc-proxy.yaml
@@ -51,9 +51,9 @@ spec:
           resources:
             requests:
               cpu:  1m
-              memory: 10M
+              memory: 128Mi
             limits:
-              memory: 50M
+              memory: 128Mi
           volumeMounts:
             - name: nginx-html
               mountPath: /usr/share/nginx/html

diff --git a/deploy/helm/create-admin-user/templates/job-create-admin-user.yaml b/deploy/helm/create-admin-user/templates/job-create-admin-user.yaml
@@ -50,7 +50,11 @@ spec:
           image: {{ include "create-admin-user.containerImage" . }}
           imagePullPolicy: {{ .Values.global.imagePullPolicy }}
           name: create-admin-user
-          resources: {}
+          resources:
+            requests:
+              memory: 128Mi
+            limits:
+              memory: 128Mi
           volumeMounts:
             - mountPath: /home/app/.CombineFiles
               name: backend-data

diff --git a/deploy/helm/thecombine/charts/backend/templates/deployment-backend.yaml b/deploy/helm/thecombine/charts/backend/templates/deployment-backend.yaml
@@ -100,7 +100,7 @@ spec:
           resources:
             requests:
               cpu: 5m
-              memory: 960Mi
+              memory: 2Gi
 {{- if .Values.global.includeResourceLimits }}
             limits:
               memory: 4Gi

diff --git a/deploy/helm/thecombine/charts/database/templates/database.yaml b/deploy/helm/thecombine/charts/database/templates/database.yaml
@@ -51,7 +51,7 @@ spec:
           resources:
             requests:
               cpu:  25m
-              memory: 950Mi
+              memory: 1Gi
 {{- if .Values.global.includeResourceLimits }}
             limits:
               memory: 2Gi

diff --git a/deploy/helm/thecombine/charts/frontend/templates/deployment-frontend.yaml b/deploy/helm/thecombine/charts/frontend/templates/deployment-frontend.yaml
@@ -77,10 +77,10 @@ spec:
           resources:
             requests:
               cpu:  1m
-              memory: 15M
+              memory: 128Mi
 {{- if .Values.global.includeResourceLimits }}
             limits:
-              memory: 40M
+              memory: 128Mi
 {{- end }}
           volumeMounts:
             - mountPath: /usr/share/nginx/fonts

diff --git a/deploy/helm/thecombine/charts/maintenance/templates/cronjob-daily-backup.yaml b/deploy/helm/thecombine/charts/maintenance/templates/cronjob-daily-backup.yaml
@@ -33,9 +33,9 @@ spec:
             resources:
               requests:
                 cpu:  200m
-                memory: 150M
+                memory: 128Mi
               limits:
-                memory: 150M
+                memory: 128Mi
             securityContext:
               capabilities: {}
             terminationMessagePath: /dev/termination-log

diff --git a/deploy/helm/thecombine/charts/maintenance/templates/cronjob-update-fonts.yaml b/deploy/helm/thecombine/charts/maintenance/templates/cronjob-update-fonts.yaml
@@ -30,7 +30,11 @@ spec:
               - deployment/maintenance
               - --
               - get-fonts.sh
-            resources: {}
+            resources:
+              requests:
+                memory: 128Mi
+              limits:
+                memory: 128Mi
             securityContext:
               capabilities: {}
             terminationMessagePath: /dev/termination-log